So you’ve probably been hearing a lot about the heartbleed vulnerability, which is quite possibly the most poorly named security problem in the history of the internet. The media has been covering heartbleed a lot lately, which is fine, people should know about it, but the goal of this article is to help people who don’t spend their days recompiling linux kernels understand the problem and how to protect themselves.
note: The goal of this article is clarity, not extreme accuracy. I’m going to gloss over a lot of very technical concerns because they aren’t relevant. If you have a unix beard (or know what a unix beard is) you can ignore this article.
First of all, how bad is heartbleed?
It’s bad. It’s really bad. It’s quote scenes from Ghostbusters bad.
But my favorite websites emailed me and said that it wasn’t a problem for them, or that they had already patched it. Doesn’t that mean that I’m in the clear?
Unfortunately… No. The first thing you have to understand is that this vulnerability had existed for a while before the good guys caught. That means that it’s not known if someone else caught it first.
Imagine you have a building with a large scary fence to keep Justin Bieber fans out. You store all of your favorite albums in this building and feel like it’s a really safe place for them. One day you notice that there is a huge hole in the fence in a corner where you never visit. You patch the hole, but what about the hordes of Justin Bieber fans? Did they find the hole? What if they had spent the last few years running around your fence, looking for holes? Now they’re in your building, listening to your Nirvana albums. NOT COOL.
Now let’s take our analogy further, and along with your favorite albums you also stored the keys to all of your other buildings where you store really important things like bank account information, social security cards, and medical records. Also, the Justin Bieber fans have been replaced with genuinely evil people who desperately want to do bad things with your information.
What, how did they get my keys? You’re really beating this analogy to death.
A lot of people reuse passwords, because let’s face it, remembering passwords is a pain. The problem is that if you used the same password for your tumblr as you did for your bank account, someone now has access to both. Even if your bank’s website wasn’t affected by the heartbleed vulnerability directly.
What should I do?
Seriously. Change your passwords. Change all of your passwords, and this time don’t repeat any of them.
That’s a colossal pain.
Yep. Sorry. If it makes you feel any better I’m changing all of mine and my current total number of passwords is about 200+
Is there anything else that I can do to prevent this?
- First of all enable two factor authentication on as many of your accounts as possible.
- Don’t reuse passwords
- Use a secure password generator like lastpass to make your passwords safer.